cas 6.1.7: Does anyone know the setting for auto-registering the MFA device vs. the user entering a name / skip step?


randomuser878

Jul 16, 2020, 4:07:48 PM
to CAS Community
Hello

Trying to simplify the MFA flow and skip the register-device step. For some reason a configuration setting might be missing somewhere. I think I have seen it working this way in CAS 5.3.x, but it's been a while.

Generally, the user authenticates, followed by the MFA phase; then the next screen is the device registration/skip.
I'm interested in automating that third screen so that registration happens automatically and is transparent to the user.

Leads for any of the 4 configurations would be enough, please: yubikey, google, u2f, simple (email/SMS).

Unless I am mistaken, I need the settings below; otherwise devices are not trusted for the desired MFA time to live, i.e. maxAge (cookie) and timeUnit (storage). I would think there is some other parameter missing as well.

cas.authn.mfa.gauth.trustedDeviceEnabled=true
cas.authn.mfa.trusted.authenticationContextAttribute=isFromTrustedMultifactorAuthentication
cas.authn.mfa.trusted.deviceRegistrationEnabled=true
cas.authn.mfa.trusted.timeUnit=DAYS
cas.authn.mfa.trusted.expiration=1
...
cas.authn.mfa.trusted.deviceFingerprint.cookie.name=MFATRUSTED
cas.authn.mfa.trusted.deviceFingerprint.cookie.domain=
cas.authn.mfa.trusted.deviceFingerprint.cookie.path=/cas
cas.authn.mfa.trusted.deviceFingerprint.cookie.httpOnly=true
cas.authn.mfa.trusted.deviceFingerprint.cookie.secure=true
#
cas.authn.mfa.trusted.deviceFingerprint.cookie.maxAge=14400
cas.authn.mfa.trusted.deviceFingerprint.componentSeparator=@
cas.authn.mfa.trusted.deviceFingerprint.cookie.enabled=true
cas.authn.mfa.trusted.deviceFingerprint.cookie.order=1
cas.authn.mfa.trusted.deviceFingerprint.clientIp.enabled=true
cas.authn.mfa.trusted.deviceFingerprint.clientIp.order=2
cas.authn.mfa.trusted.deviceFingerprint.userAgent.enabled=true
cas.authn.mfa.trusted.deviceFingerprint.userAgent.order=3

Thanks for your help.
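Added illustration, not CAS code and not from the poster: a small Python model of how the fingerprint components enabled in the properties above (cookie, clientIp, userAgent, joined by componentSeparator in their configured order) and the two lifetimes (cookie maxAge vs. expiration/timeUnit) interact when a trust record is checked. The key=value parser and the min() of the two windows are assumptions of the model, not verified CAS internals.

```python
# Constructed excerpt of the trusted-device properties quoted in the post above.
PROPS_TEXT = """
cas.authn.mfa.trusted.timeUnit=DAYS
cas.authn.mfa.trusted.expiration=1
cas.authn.mfa.trusted.deviceFingerprint.cookie.maxAge=14400
cas.authn.mfa.trusted.deviceFingerprint.componentSeparator=@
cas.authn.mfa.trusted.deviceFingerprint.cookie.enabled=true
cas.authn.mfa.trusted.deviceFingerprint.cookie.order=1
cas.authn.mfa.trusted.deviceFingerprint.clientIp.enabled=true
cas.authn.mfa.trusted.deviceFingerprint.clientIp.order=2
cas.authn.mfa.trusted.deviceFingerprint.userAgent.enabled=true
cas.authn.mfa.trusted.deviceFingerprint.userAgent.order=3
"""
PREFIX = "cas.authn.mfa.trusted."
FP = PREFIX + "deviceFingerprint."
UNIT_SECONDS = {"SECONDS": 1, "MINUTES": 60, "HOURS": 3600, "DAYS": 86400}

def parse_props(text):
    """Minimal key=value parser for the excerpt (a model, not CAS's property loader)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def fingerprint(props, cookie_value, client_ip, user_agent):
    """Join the enabled components in their configured order with componentSeparator."""
    sources = {"cookie": cookie_value, "clientIp": client_ip, "userAgent": user_agent}
    active = [(int(props.get(FP + n + ".order", "0")), v)
              for n, v in sources.items()
              if props.get(FP + n + ".enabled", "false").lower() == "true"]
    return props.get(FP + "componentSeparator", "@").join(v for _, v in sorted(active))

def trust_lifetime_seconds(props):
    """Assumed effective window: the browser must still send the cookie (maxAge)
    AND the stored record must be within expiration/timeUnit, so the shorter wins."""
    record = int(props[PREFIX + "expiration"]) * UNIT_SECONDS[props[PREFIX + "timeUnit"]]
    return min(record, int(props[FP + "cookie.maxAge"]))

def is_trusted(props, record_fp, recorded_at, now, cookie_value, client_ip, user_agent):
    """True when the presenting device matches the stored record and the window is open."""
    same_device = fingerprint(props, cookie_value, client_ip, user_agent) == record_fp
    return same_device and (now - recorded_at) < trust_lifetime_seconds(props)
```

Under this model the effective trust window for the configuration above is 4 hours (the cookie's maxAge of 14400 seconds), not the 1 day given by expiration/timeUnit. Because clientIp and userAgent are part of the fingerprint, a user whose IP address or browser changes presents a different fingerprint and is prompted for MFA again.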
 

randomuser878

Jul 17, 2020, 1:45:53 PM
to CAS Community, randomuser878
Updated the parameters to the new naming convention, to no avail.
This is from the parameter extraction done with cas-server-support-shell (/find parameter names):
----------------------------------------------------------------------
Property: cas.authn.mfa.trusted.device-registration-enabled
Group: cas.authn.mfa.trusted
Default Value: true
Type: java.lang.Boolean
Summary: Indicates whether CAS should ask for device registration consent or execute it automatically.
Description: Indicates whether CAS should ask for device registration consent or execute it automatically.
Deprecated: no

To recap
cas.authn.mfa.gauth. trusted.device-registration-enabled=true
and any given MFA provider
cas.authn.mfa.yubikey.trusted-device-enabled
cas.authn.mfa.gauth.trusted-device-enabled
cas.authn.mfa.u2f.trusted-device-enabled
cas.authn.mfa.simple.trusted-device-enabled
cas.authn.mfa.trusted.deviceFingerprint.cookie.name=MFATRUSTED

1) The MFATRUSTED cookie is populated and the multifactor_authentication_trust_record db table is populated if and only if the user enters a name on the last screen and does not choose skip.
   Authentication finishes irrespective of providing the name or skipping (expected).

2) Setting cas.authn.mfa.trusted.device-registration-enabled=false and keeping all the others the same:
   The MFATRUSTED cookie is never populated and the multifactor_authentication_trust_record db table is never populated.
   Authentication finishes (expected).

Am I misunderstanding the process here? I really think the auto registration was functional, at least on version 5.3.x.
Does "execute it automatically" imply the behavior in #2 above?
Is there any other way to auto-register the device (pretty much automatic user consent)?
Is there a parameter value I might have missed, or is this not intended to function this way?


Thanks.